FBI warns banks about looming cyber attacks

The Federal Bureau of Investigation in the United States has issued a warning to major financial institutions suggesting that hackers are planning a serious global attack as soon as this weekend.

The U.S. federal investigative agency said hackers will target automated teller machines (ATMs) with the attack, attempting to steal millions of dollars in a small window of time, likely after hours when the banks are closed.

According to Theresa Payton, chief executive of cyber security firm Fortalice Solutions and former chief information officer at the White House between 2006 and 2008, the warning should be sounding alarm bells for banks, financial institutions and consumers everywhere.

“The FBI does not put warnings out like this. Often times by alerting the public, if they are working on a case, they are tipping their hand to the bad guys and it will disrupt an investigation,” said Payton. “When the FBI makes these decisions to make a public statement about this type of an issue and does it in an unclassified manner, everyone needs to take heed.”

The FBI’s warning was issued only to banks, but it was leaked online by well-known Internet security researcher Brian Krebs on Tuesday. He posted sections of the warning on his website Krebs on Security.

“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days,” reads the warning. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

The warning stated that the hackers have the ability to remove maximum withdrawal limits, alter account balances and possibly even “create fraudulent copies of legitimate cards.”

The RCMP refused to comment on the warning Tuesday, referring all questions to Public Safety Canada, which is the federal department that oversees the Canadian Cyber Incident Response Centre.

“Generally, only in the event that an investigation results in the laying of criminal charges, would the RCMP confirm its investigation, the nature of any charges laid and the identity of the individual involved,” said Tania Vaughan, a spokeswoman with the RCMP.

Public Safety Canada refused to comment on the warning, deferring to Finance Canada.

“We are aware of the incident and are monitoring it closely with the Office of the Superintendent of Financial Institutions,” said Jack Aubry, director of media relations for Finance Canada.

“The Canadian financial sector is also aware of the situation, as are the Communications Security Establishment and the Canadian Cyber Incident Response Centre.”

Representatives from Moneris Payment Solutions, Canada’s largest financial technology company, would not comment.

Attempts to reach representatives from Canada’s major banks were unsuccessful.

The warning comes on the heels of a similar attack that saw $17.6 million stolen from Cosmos Co-Operative Bank in Pune, India, in June.

In May, the central bank of Mexico announced that hackers had stolen as much as $15 million from five companies by tapping into bank payment systems and performing numerous fraudulent transactions, including cash withdrawals.

Charles Henderson is the global managing partner of IBM Corp.’s X-Force Red. The division within IBM aims to find vulnerabilities in products before hackers can. Earlier this month the division announced it would be expanding to offer testing services specifically for ATMs.

Henderson said that while financial institutions put a lot of effort into testing mobile phone apps and Internet banking, ATMs are a different story entirely. Many banks believe ATMs are being tested by their manufacturers. Manufacturers assume that the banks will test the machines before they’re added to banking networks. In many cases, the ATMs are never actually tested for security vulnerabilities.

“What you’re seeing is financial institutions waking up to the fact that ATMs are not a magic box and they require testing,” said Henderson. “The most attractive target for a hacker is a target that has never been tested before.”

Dave Masson, Canada country manager for security firm Darktrace and former manager at the Canadian Security Intelligence Service, said the FBI’s warning is aimed at heading off a major financial calamity. Having been told about the looming attack, financial institutions can be better prepared to monitor their networks for abnormal activity and staff their security teams appropriately.

For consumers, information security experts suggested activating instant notifications on bank accounts, so that you are notified as soon as there is a transaction involving one of your accounts, and monitoring balances closely.
